
If one of your customers calls or texts you to tell you their system is slow or overheating or gobbling up a lot of power, you need to add a new possible diagnosis to your checklist — cryptojacking.

Cryptojacking is a relatively new threat that has been wreaking havoc across the globe, and MSPs need to be mindful of its arrival. Put simply, cryptojacking is the hijacking of a system so that a cryptocurrency miner can use its CPU to mine cryptocurrency. While ransomware has gotten a lot of attention because files are literally held hostage, cryptojacking comes with its own set of problems.

Not a victimless crime

“Cryptojacking, while more stealthy than ransomware, is definitely not a victimless crime,” Troy Mursch, a security researcher and author of the Bad Packets Report, tells Smarter MSP. He says affected users will notice their device slowing to a crawl due to the high CPU usage of the attack, as well as higher electricity bills. Mursch says this happens because the hashing associated with cryptocurrency mining is very intensive. And, more CPU resources require more energy.

“This process also generates a lot of heat and such [so] we’ve seen physical damage in some cases with mobile devices,” Mursch says.

While most people were devouring their turkey, stuffing, and cranberry sauce on Thanksgiving Day, Mursch was busy discovering one of the largest cryptojacking campaigns to date, an invasion of more than 1,500 websites including such prominent brands as Crucial Memory and Everlast Worldwide. You wouldn’t think an IT company like Crucial Memory and a boxing equipment maker like Everlast would have much in common. But both of those marquee, and completely unrelated, brands used the same customer support live chat widget on their sites. The widget had been compromised, and the cryptojacking campaign spread from there. Most cryptojacking campaigns don’t start with someone targeting a particular system. Instead, websites are hacked, and the campaign follows the users from there, leveraging whatever processing power their devices have available.

How can MSPs fight back?

Fortunately, there are tools available to help MSPs combat cryptojacking. Mursch, who has discovered many of the largest cryptojacking outbreaks, recommends using a browser extension called minerBlock, which is available for Chrome and Firefox. The extension blocks only cryptojacking scripts, not ads.

For MSPs, Mursch also advises implementing network-level blocks by using firewalls. A frequently updated list of cryptojacking/cryptomining-related domains is available via the CoinBlockerLists. While this method, Mursch says, is not 100-percent effective since many domains/IPs frequently change, it will help stop the vast majority of illicit cryptomining. And for both end users and MSPs, Mursch recommends some form of monitoring. This can be as simple as checking the task manager for unusually high CPU usage or as intensive as a full-scale monitoring application for your customers’ server/cloud infrastructure.

“In either case, a little vigilance goes a long way in preventing cryptojacking,” Mursch says.
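To illustrate the network-level approach described above, the following Python example (added here; it is not code from minerBlock, CoinBlockerLists or Mursch) checks DNS query logs against a mining-domain blocklist and counts hits per client. The blocklist entries, the log format and the function names are constructed assumptions.

```python
from collections import Counter

# Constructed blocklist; a real list would be loaded from a file.
# Both plain-domain and hosts-style ("0.0.0.0 domain") lines are accepted.
SAMPLE_BLOCKLIST = """\
# constructed entries for illustration only
0.0.0.0 coin-pool.example
webminer.example
0.0.0.0 ws.stats-cdn.example
"""

# Constructed DNS query log: "<timestamp> <client-ip> <queried-name>"
SAMPLE_DNS_LOG = """\
2018-01-10T09:00:01 10.0.0.21 www.example.org
2018-01-10T09:00:02 10.0.0.21 ws001.webminer.example
2018-01-10T09:00:05 10.0.0.34 coin-pool.example.
2018-01-10T09:00:07 10.0.0.34 notcoin-pool.example
2018-01-10T09:00:09 10.0.0.21 WS.Stats-CDN.example
malformed line
"""

def load_blocklist(text):
    """Parse blocklist text into a set of lowercase domains."""
    domains = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if line:
            domains.add(line.split()[-1].lower().rstrip("."))
    return domains

def is_blocked(name, blocklist):
    """True if name is a listed domain or a subdomain of one."""
    labels = name.lower().rstrip(".").split(".")
    # Match on label boundaries so "notcoin-pool.example" is not a hit.
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))

def flag_clients(log_text, blocklist):
    """Count blocklisted lookups per client IP, skipping malformed lines."""
    hits = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 3 and is_blocked(parts[2], blocklist):
            hits[parts[1]] += 1
    return dict(hits)

if __name__ == "__main__":
    print(flag_clients(SAMPLE_DNS_LOG, load_blocklist(SAMPLE_BLOCKLIST)))
```

Because mining domains change frequently, a client with zero hits is not proof of a clean machine; pairing this check with the CPU monitoring mentioned above covers lookups the list misses.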

Interestingly, Bitcoin is not the currency of choice for miners. Monero and Zcash are cryptocurrencies that are built around anonymity, and detection by law enforcement is extremely difficult.

At the MSP level, cryptojacking can be very difficult to detect without an outward manifestation such as a slow-running system like the one Mursch describes.

An MSP perspective on cryptojacking

“It doesn’t appear to produce any dramatic or destructive results. It appears to use the computing power of the host computer for mining of the desired payload,” Burgess says, adding that the cryptojacking attack can slow down the computer.

“But, it is unlikely that it would be anything more than an annoyance to the user, interfering with productivity primarily,” Burgess says. “It would be rather difficult to even calculate the increased power usage.”

Burgess says the danger is that the attack may be more of a proof-of-concept that future bad guys might exploit, which could result in a more destructive event.

Inside threats

Another front in the cryptojacking war that MSPs need to watch, according to the MIT Technology Review, is “inside jobs.” Employees with high-level network privileges and the technical know-how to set up a mining operation can reap big profits while compromising your customers’ equipment and credibility. These inside jobs can be very difficult to detect, though. (A skyrocketing electric bill is a good clue.)

While Mursch believes the “gold rush” days of cryptojacking may be waning, the threat will remain as long as there is money to be made.

“I believe we’ll still be dealing with cryptojacking in the future as long as there’s some type of cryptocurrency to be mined,” Mursch says.

Craig Petronella, CEO of Petronella Technology Group, Inc and an IT security expert, tells Smarter MSP that one of the appeals of cryptojacking is that “it is easy money for hackers.” He adds that in the future cryptojackers will become more sophisticated and even harder to detect.

So, warn your customers that if one of their computers does start running very slow or their mobile device feels like it could roast a marshmallow, they just might want to give your team a call!

Posted by Kevin Williams

Kevin Williams is a journalist based in Ohio. Williams has written for a variety of publications including the Washington Post, New York Times, USA Today, Wall Street Journal, National Geographic and others. He first wrote about the online world in its nascent stages for the now defunct “Online Access” Magazine in the mid-90s.